So turns out using Deployment Kit is the easiest way to be able to perform FLR to Windows from a Vsphere backup.
Deployment kit by default contains a certificate of validity 1 month. Does the agent (transport service etc.) stop working after that? How do we manage those certs as we generally do not do many agent-based backups but want to be able to do FLR to original destination nevertheless.
Thanks!
Best answer by Chris.Childerhose
The agent will not stop working as the deployment kit certificate is used to make the connection to the VBR server and once that is there you are good forever. I think the 1 month is to ensure you use the kit before that expires to add it to your VBR server.
+21The agent will not stop working as the deployment kit certificate is used to make the connection to the VBR server and once that is there you are good forever. I think the 1 month is to ensure you use the kit before that expires to add it to your VBR server.
+9Hi
I think that will be the behavor.
The certificate that comes with the Veeam Deployment Kit does have a limited validity (typically 30 days), but its expiration does not break FLR or agent operations in the way people often fear.
The certificate is used only to establish trust during the initial deployment of the temporary agent (transport service) to the target machine.
Once the agent is deployed and the secure channel is established, the operation continues even if the certificate expires during or after the restore.
The agent does not suddenly stop working when the certificate reaches its expiration date.
FLR from a vSphere backup uses a temporary agent deployed at restore time.
As long as the Deployment Kit is valid at the moment the restore session is started, FLR works normally.
You do not need a permanently installed agent or a long-lived certificate on the target machine.
Since you don’t often do agent-based restores but want to keep FLR available:
Best practice:
Keep the Deployment Kit installed on the Veeam server.
When you actually need to perform an FLR, simply redeploy or refresh the Deployment Kit (which regenerates a valid certificate).
This takes only a few minutes and does not require reconfiguring your backup infrastructure.
Hope that helps.
Sorry
Why would I have to redeploy/refresh the deployment kit (at the end of the post) if it does not break FLR once the initial cert expires (at the top of the post)?
Also FLR to Windows, which this was about, seems to install Veeam Transport Service, which is persistent on the client, not ephemeral, like in Linux (without deployment kit).
Why would I install Deployment kit on the Veeam server?
+11So turns out using Deployment Kit is the easiest way to be able to perform FLR to Windows from a Vsphere backup.
Deployment kit by default contains a certificate of validity 1 month. Does the agent (transport service etc.) stop working after that? How do we manage those certs as we generally do not do many agent-based backups but want to be able to do FLR to original destination nevertheless.
Thanks!
Hi
As
Deploying Veeam Agents - Veeam Backup & Replication User Guide
case 1
Automatic deployment via Protection Group where you can use administrative credentials
case 2
Pre-installation of Veeam services does not use administrative credentials but a certificate and utilises the deployment kit for hardened environments.
case 3
Manual deployment with generated setup
Deploying Veeam Agents Using Generated Setup Files - Veeam Backup & Replication User Guide
Best regards.
The only confusing part is that they write about protection groups all the time, however we mostly do block-based backups (and file level restore most of the time). Except of course when it comes to Exchange or RMAN for instance which requires an agent.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.